The former basic CORS support which implemented an "allow all origins" policy in CaasConfig was replaced by a fully configurable implementation. See the deployment manual about how to configure CORS on headless (properties caas.cors.* ).

The default CORS configuration now sets its own installation host as the only allowed origin. As a consequence, existing client applications might break and require additional configuration.

(CMS-21831)